Matthias Gerstner changed bug 1120189
What    Removed    Added
CC                 mrueckert@suse.com

Comment # 4 on bug 1120189 from
It looks like the 389-ds package is not yet prepared to handle the capability
setting correctly. It also fails in the devel project for the same reason at
the moment.

There was no explicit request to backport this permission setting to SLE-15,
but I synced the permissions package in SLE-15-SP1 with Factory to avoid a
bunch of backports.

Correctly using the CAP_NET_BIND_SERVICE capability would be an improvement
for SLE-15-SP1, too. It shouldn't be too much effort to get it working. The
capability bit for ns-slapd is set anyways even in SLE-15:GA already, even if
it is not actually used.

From the security perspective we've reviewed 389-ds version 1.4.0.18 in bug
1111564. In SLE-15-SP1 we have version 1.4.03. 1.4.0.18 contains only
maintenance changes and it looks like there are no major changes in the area
of the initialization code. Therefore it should be safe to apply the
capability bit there as well.

